Can any Squid gurus help me?

Discussion in 'NZ Computing' started by MarkH, Sep 18, 2005.

  1. MarkH

    MarkH Guest

    So at the moment I am trying to upgrade my server from Win2003 Server to
    SUSE 9.3 and I have achieved some success. But I am having trouble getting
    Squid working how I want.

    I am using Squid 2.5 (stable).

    I have googled for answers and have managed to get my squid.conf to the
    point where I can access the internet from a web browser by providing the
    port and IP address of the proxy server.

    But the problem is that I also want to access the internet from my
    newsreader program which seems to lack info about a proxy server and my
    flatmate uses torrent.

    What I would like to do is set up Squid to work with all ports that I
    specify and to listen on those ports and provide internet in a transparent
    way. I want to have the apps working without configuring a proxy just like
    they do with Winproxy running on the server under windows.

    The SUSE 9.3 server has no problem with any app on it accessing the
    internet through the NIC that is connected to the router and Squid is now
    happy to work with the right settings in the squid.conf. But the manual is
    long and fully understanding all the options would take so long, I just
    want to know what lines to put in the conf file to get this puppy working.

    Setting localnet to 192.168.0.0/255.255.255.0 defines the local network,
    apart from that everything else in my conf file should be identical to
    anyone else's conf file. In other words anyone that has Squid working the
    way that I want has essentially the same thing in their conf file as I
    should have, so if they could post the text from their conf file then I
    could copy and paste that to have mine working. All I should have to do is
    change the localnet address and maybe specify the ports that I am wanting
    to use and voila it should be working.


    My setup is:
    NIC1 - 192.168.0.1 connected to local network.
    NIC2 - 192.168.1.2 connected to ADSL router (192.168.1.1)
    The other PCs have the gateway and DNS set to 192.168.0.1

    Can any Squid gurus tell me what I need in my conf?


    --
    Mark Heyes (New Zealand)
    See my pics at www.gigatech.co.nz (last updated 5-September-05)
    "The person on the other side was a young woman. Very obviously a
    young woman. There was no possible way she could have been mistaken
    for a young man in any language, especially Braille."
    Maskerade
     
    MarkH, Sep 18, 2005
    #1

  2. MarkH

    thing2 Guest

    MarkH wrote:
    > So at the moment I am trying to upgrade my server from Win2003 Server to
    > SUSE 9.3 and I have achieved some success. But I am having trouble getting
    > Squid working how I want.
    >
    > I am using Squid 2.5 (stable).
    >
    > I have googled for answers and have managed to get my squid.conf to the
    > point where I can access the internet from a web browser by providing the
    > port and IP address of the proxy server.
    >
    > But the problem is that I also want to access the internet from my
    > newsreader program which seems to lack info about a proxy server and my
    > flatmate uses torrent.


    news is a different port, 119, squid won't proxy that.

    torrent is I believe also a different port....

    >
    > What I would like to do is set up Squid to work with all ports that I
    > specify and to listen on those ports and provide internet in a transparent
    > way.


    If you want transparent proxying then you need iptables to re-direct
    outgoing port 80 traffic up to the squid port which is 1080 or 8080 or
    whatever you want it to be.

    > I want to have the apps working without configuring a proxy just like
    > they do with Winproxy running on the server under windows.


    Then transparent is what you want.

    > The SUSE 9.3 server has no problem with any app on it accessing the
    > internet through the NIC that is connected to the router and Squid is now
    > happy to work with the right settings in the squid.conf. But the manual is
    > long and fully understanding all the options would take so long, I just
    > want to know what lines to put in the conf file to get this puppy working.
    >
    > Setting localnet to 192.168.0.0/255.255.255.0 defines the local network,
    > apart from that everything else in my conf file should be identical to
    > anyone else's conf file. In other words anyone that has Squid working the
    > way that I want has essentially the same thing in their conf file as I
    > should have, so if they could post the text from their conf file then I
    > could copy and paste that to have mine working. All I should have to do is
    > change the localnet address and maybe specify the ports that I am wanting
    > to use and voila it should be working.


    Does web browsing work?

    > My setup is:
    > NIC1 - 192.168.0.1 connected to local network.
    > NIC2 - 192.168.1.2 connected to ADSL router (192.168.1.1)
    > The other PCs have the gateway and DNS set to 192.168.0.1
    >
    > Can any Squid gurus tell me what I need in my conf?
    >
    >



    regards

    Thing
     
    thing2, Sep 19, 2005
    #2


  3. >
    > What I would like to do is set up Squid to work with all ports that I
    > specify and to listen on those ports and provide internet in a transparent
    > way. I want to have the apps working without configuring a proxy just like
    > they do with Winproxy running on the server under windows.


    Squid is primarily an HTTP proxy[1]. It differs from winproxy in that
    respect - winproxy proxies everything.

    What you can do is set up a SOCKS5 proxy on your gateway as well, and
    configure your applications to use that.

    However, there is no way that I know of to have a transproxy work for
    all protocols. SOCKS5 proxies require authentication, so you can't just
    transproxy to them. Winproxy handles it by installing libraries on each
    client machine which intercept socket calls and redirect them, and it
    silently uses NTLM auth with your existing credentials to authenticate.

    If you absolutely want to proxy, then you'll have to use squid for
    http/https/ftp, and socks5 for everything else. However, you probably
    don't need to. You can perform NAT to allow outward access for the
    protocols you want - or just allow everything out via NAT.

    Without knowing more about your side, it's hard to give a good
    recommendation. But, with what you've said, I'd say: setup iptables on
    the SUSE server to NAT your internal network onto the external
    interface. Or, if your router already does NAT for you, put all your
    machines on the same subnet and put the router as the gateway, and let
    it NAT for you.


    [1] A lot of protocols will use HTTP proxies, eg MSN, but this is
    because they are written in a way that they can use an HTTP proxy. It's
    still an HTTP proxy though.... :)
     
    Daniel Lawson, Sep 19, 2005
    #3
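    As an added example (not code from the thread or from any of the posters), here is the gateway setup that thing2's reply (iptables redirecting port 80 into Squid) and Daniel's reply (NAT for everything else) sketch, for Mark's two-NIC box. The interface names eth0/eth1 and the Squid port 3128 (Squid's default) are assumptions; the addresses are the ones Mark posted.

```shell
#!/bin/sh
# Added example, not from the thread: the iptables/Squid pieces thing2 and
# Daniel Lawson describe for Mark's two-NIC SUSE 9.3 gateway. Port 80 from the
# flat is redirected into Squid (transparent), everything else (NNTP 119,
# torrent, mail) is plain NAT. Assumptions: eth0/eth1 interface names and
# Squid's default port 3128; addresses are the ones Mark posted.
LAN_IF="eth0"             # NIC1, 192.168.0.1, faces the flat
WAN_IF="eth1"             # NIC2, 192.168.1.2, faces the ADSL router
LAN_NET="192.168.0.0/24"  # Mark's localnet
SQUID_PORT="3128"         # assumed: Squid 2.5 default http_port

# Print the commands rather than run them, so the rule set can be reviewed
# (and checked) as a non-root user before it is applied on the gateway.
rules() {
  cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -t nat -F
# Default deny inbound and forwarded traffic; only what is listed below passes.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# The flat may reach Squid and the gateway's DNS; nothing from the WAN side can,
# so the proxy is never reachable as an open proxy from the router side.
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $SQUID_PORT -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 53 -j ACCEPT
# Transparent proxy: outgoing web traffic from the LAN is diverted into Squid.
iptables -t nat -A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
# NAT for everything else (news, torrent, POP/SMTP): forward LAN->WAN and
# only replies back, then masquerade behind the WAN address.
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
}

# Squid 2.5 lines that make it accept the redirected (non-proxy-style) requests.
# Bind it to the LAN address so it never listens on the router-facing NIC.
squid_conf() {
  cat <<EOF
http_port 192.168.0.1:$SQUID_PORT
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
acl all src 0.0.0.0/0.0.0.0
acl localnet src 192.168.0.0/255.255.255.0
http_access allow localnet
http_access deny all
EOF
}

# Count the rules that divert traffic into Squid; exactly one is expected.
redirect_count() {
  rules | grep -c -- "-j REDIRECT"
}

# Run as root with --apply to load the rules; otherwise just show them.
if [ "${1:-}" = "--apply" ]; then
  rules | sh
else
  rules
  echo "# squid.conf:"
  squid_conf
fi
```

Run it without arguments first and read the output; only then run it as root with --apply on the gateway.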
  4. MarkH

    Shane Guest

    On Mon, 19 Sep 2005 13:31:43 +1200, Daniel Lawson wrote:

    >
    >
    >> What I would like to do is set up Squid to work with all ports that I
    >> specify and to listen on those ports and provide internet in a
    >> transparent way. I want to have the apps working without configuring a
    >> proxy just like they do with Winproxy running on the server under
    >> windows.

    >
    > Squid is primarily an HTTP proxy[1]. It differs from winproxy in that
    > respect - winproxy proxies everything.
    >
    > What you can do is set up a SOCKS5 proxy on your gateway as well, and
    > configure your applications to use that.
    >
    > However, there is no way that I know of to have a transproxy work for all
    > protocols. SOCKS5 proxies require authentication, so you can't just
    > transproxy to them. Winproxy handles it by installing libraries on each
    > client machine which intercept socket calls and redirect them, and it
    > silently uses NTLM auth with your existing credentials to authenticate.
    >
    > If you absolutely want to proxy, then you'll have to use squid for
    > http/https/ftp, and socks5 for everything else. However, you probably
    > don't need to. You can perform NAT to allow outward access for the
    > protocols you want - or just allow everything out via NAT.
    >
    > Without knowing more about your side, it's hard to give a good
    > recommendation. But, with what you've said, I'd say: setup iptables on the
    > SUSE server to NAT your internal network onto the external interface. Or,
    > if your router already does NAT for you, put all your machines on the same
    > subnet and put the router as the gateway, and let it NAT for you.
    >
    >
    > [1] A lot of protocols will use HTTP proxies, eg MSN, but this is because
    > they are written in a way that they can use an HTTP proxy. It's still an
    > HTTP proxy though.... :)


    Hmm yeah, a proxy does seem overkill here, when a simple NAT gateway would
    suffice, perhaps Mark is wanting to cache?

    http://iptables-tutorial.frozentux.net/iptables-tutorial.html

    http://www.yolinux.com/TUTORIALS/LinuxTutorialIptablesNetworkGateway.html


    --
    Hardware, n.: The parts of a computer system that can be kicked

    The best way to get the right answer on usenet is to post the wrong one.
     
    Shane, Sep 19, 2005
    #4

  5. >
    > Hmm yeah, a proxy does seem overkill here, when a simple NAT gateway would
    > suffice, perhaps Mark is wanting to cache?


    Caching HTTP and FTP makes sense (and squid will only cache these
    protocols, nothing else). Caching other protocols doesn't make a lot of
    sense (why cache your mail or IM?)

    Having a caching HTTP/FTP server in place, via transproxying for 'zero
    configuration', and doing NAT on the rest of the traffic is a good mix
    though.

    Incidentally, if you don't mind doing some small amount of
    configuration, which can be automated through GPO or other policy
    methods, you can tell your webbrowser to use a proxy autoconfiguration
    script. This is a small jscript which tells your browser whether to use
    a proxy or not for the destination. Simplifies proxy configuration quite
    a bit, as once the clients are configured, you can change proxy setups
    by changing the jscript (hosted on a local webserver). Look up
    www.wlug.org.nz/WPAD for notes on this
     
    Daniel Lawson, Sep 19, 2005
    #5
  6. MarkH

    MarkH Guest

    thing2 <> wrote in
    news:p:

    > MarkH wrote:
    >> So at the moment I am trying to upgrade my server from Win2003 Server
    >> to SUSE 9.3 and I have achieved some success. But I am having
    >> trouble getting Squid working how I want.
    >>
    >> I am using Squid 2.5 (stable).
    >>
    >> I have googled for answers and have managed to get my squid.conf to
    >> the point where I can access the internet from a web browser by
    >> providing the port and IP address of the proxy server.
    >>
    >> But the problem is that I also want to access the internet from my
    >> newsreader program which seems to lack info about a proxy server and
    >> my flatmate uses torrent.

    >
    > news is a different port, 119, squid won't proxy that.
    >
    > torrent is I believe also a different port....


    So that means I am trying to set up the wrong tool for the job?

    >> What I would like to do is set up Squid to work with all ports that I
    >> specify and to listen on those ports and provide internet in a
    >> transparent way.

    >
    > If you want transparent proxying then you need iptables to re-direct
    > outgoing port 80 traffic up to the squid port which is 1080 or 8080 or
    > whatever you want it to be.


    OK, I'll have to read up on iptables.

    >> I want to have the apps working without configuring a proxy just like
    >> they do with Winproxy running on the server under windows.

    >
    > Then transparent is what you want.


    Yes, I believe that would be the simplest thing.

    > Does web browsing work?


    Only if I fill in the proxy details, I would prefer it to work
    transparently. Surely this is possible, if an app in Windows can do it
    then Linux must be able to do it.

    Sometimes I think that I am putting a lot of effort into getting
    something to work in Linux that is ultra simple to do in Windows with a
    well written app. To be honest it seems that is the case, but I am also
    learning about Linux and how to set up a server - I like to learn
    things. Besides which it is not like Linux is not as good, it just takes
    a bit more to learn how to achieve the desired results.


     
    MarkH, Sep 19, 2005
    #6
  7. MarkH

    MarkH Guest

    Daniel Lawson <> wrote in
    news::

    > What you can do is set up a SOCKS5 proxy on your gateway as well, and
    > configure your applications to use that.


    OK, so what SOCK5 proxy would you suggest?

    > However, there is no way that I know of to have a transproxy work for
    > all protocols. SOCKS5 proxies require authentication, so you can't
    > just transproxy to them. Winproxy handles it by installing libraries
    > on each client machine which intercept socket calls and redirect them,
    > and it silently uses NTLM auth with your existing credentials to
    > authenticate.


    How does Winproxy install libraries on each client? All I do on the
    clients is set the Gateway and DNS address to that of the server and SOCKS
    works fine, as does News and Torrents.

    > If you absolutely want to proxy, then you'll have to use squid for
    > http/https/ftp, and socks5 for everything else. However, you probably
    > don't need to. You can perform NAT to allow outward access for the
    > protocols you want - or just allow everything out via NAT.


    > Without knowing more about your side, it's hard to give a good
    > recommendation. But, with what you've said, I'd say: setup iptables on
    > the SUSE server to NAT your internal network onto the external
    > interface. Or, if your router already does NAT for you, put all your
    > machines on the same subnet and put the router as the gateway, and let
    > it NAT for you.


    OK, iptables sounds like the go, at least for all but http and https and
    ftp.



     
    MarkH, Sep 19, 2005
    #7
  8. MarkH

    MarkH Guest

    Shane <-a-geek.net> wrote in
    news:p-a-geek.net:

    > Hmm yeah, a proxy does seem overkill here, when a simple NAT gateway
    > would suffice, perhaps Mark is wanting to cache?


    I don't really need a caching proxy, just having the server proxy my internet
    requests (through whatever method works best) would suffice.

    > http://iptables-tutorial.frozentux.net/iptables-tutorial.html
    >
    > http://www.yolinux.com/TUTORIALS/LinuxTutorialIptablesNetworkGateway.html


    These seem to be some links to helpful info, I shall have a good read.
    Thanks for that.

    It shouldn't be too hard to work out which ports I need to set up iptables
    for, once I have read up a bit and understand what I am doing I will give it
    a try. I'll test first with port 119, once I have that working I shouldn't
    have too much trouble adding other ports.

    I may skip ports 25 and 110, maybe someone could suggest the easiest mail
    server to use on Linux instead of MDaemon in Windows? I suppose this is
    essentially a caching proxy for mail :) But yeah, I want to pick up mail
    from a master account (pop3) and put it into the right mailboxes depending on
    the address and I also want to pick up mail from other pop3 accounts and put
    it into specific mailboxes for each account it comes from. This is
    essentially what MDaemon calls 'domainPOP' and 'multiPOP'.


     
    MarkH, Sep 19, 2005
    #8
  9. In article <>,
    thing2 <> wrote:

    >torrent is I believe also a different port....


    You mean BitTorrent? That doesn't use any fixed ports, since all
    connections are mediated through trackers.
     
    Lawrence D'Oliveiro, Sep 19, 2005
    #9
  10. MarkH

    thing2 Guest

    MarkH wrote:
    > thing2 <> wrote in
    > news:p:
    >
    >
    >>MarkH wrote:
    >>
    >>>So at the moment I am trying to upgrade my server from Win2003 Server
    >>>to SUSE 9.3 and I have achieved some success. But I am having
    >>>trouble getting Squid working how I want.
    >>>
    >>>I am using Squid 2.5 (stable).
    >>>
    >>>I have googled for answers and have managed to get my squid.conf to
    >>>the point where I can access the internet from a web browser by
    >>>providing the port and IP address of the proxy server.
    >>>
    >>>But the problem is that I also want to access the internet from my
    >>>newsreader program which seems to lack info about a proxy server and
    >>>my flatmate uses torrent.

    >>
    >>news is a different port, 119, squid won't proxy that.
    >>
    >>torrent is I believe also a different port....

    >
    >
    > So that means I am trying to set up the wrong tool for the job?
    >
    >
    >>>What I would like to do is set up Squid to work with all ports that I
    >>>specify and to listen on those ports and provide internet in a
    >>>transparent way.

    >>
    >>If you want transparent proxying then you need iptables to re-direct
    >>outgoing port 80 traffic up to the squid port which is 1080 or 8080 or
    >>whatever you want it to be.

    >
    >
    > OK, I'll have to read up on iptables.
    >
    >
    >>>I want to have the apps working without configuring a proxy just like
    >>
    >>>they do with Winproxy running on the server under windows.

    >>
    >>Then transparent is what you want.

    >
    >
    > Yes, I believe that would be the simplest thing.
    >
    >
    >>Does web browsing work?

    >
    >
    > Only if I fill in the proxy details, I would prefer it to work
    > transparently. Surely this is possible, if an app in Windows can do it
    > then Linux must be able to do it.


    Yes, it's known as transparent proxying, or using iptables to re-direct the
    port 80 traffic up to the squid port.

    Use NAT for everything else and let it out directly, there is no point
    in caching bit-torrent traffic etc.....

    > Sometimes I think that I am putting a lot of effort into getting
    > something to work in Linux that is ultra simple to do in Windows with a
    > well written app.


    Actually a well written wizard; however the wizard presents menus often
    based on your previous choices. This might do 90% of the cases, but as
    software gets more and more complex this gets harder and harder to do.
    Then of course you have to do it manually for that 10%.

    Often Windows and its wizards are ideal for simple and small deployments,
    as in your case. The problems arise as you try to get such simple
    deployments into larger and larger businesses and more and more complex
    environments; then the theoretical advantages of Windows' wizards lose
    their shine as interconnection becomes complex.

    > To be honest it seems that is the case, but I am also
    > learning about Linux and how to set up a server - I like to learn
    > things. Besides which it is not like Linux is not as good, it just takes
    > a bit more to learn how to achieve the desired results.


    Yes that is very true, sorta. Windows lets you point and click, it then
    usually works, but if you have no real understanding of what goes on
    underneath then security may not be correct, performance,
    capability.....Linux forces you to read and understand, so when you set
    it up, while it takes more time and effort, the end result is usually better.

    The huge problem businesses and vendors face is lack of scalability; add
    in a huge increase in complexity and availability.....cracks are
    appearing all over the place as IT tries to live up to the salesmen's
    promises......

    In saying that, a lot of purely OSS stuff actually now sets itself up
    very well; the main problem is the breadth of capability and number of
    platforms OSS could be on and jobs it does, "wizards" can't cover
    everything.

    What I am experiencing myself is that as 3rd party commercial vendors move
    onto Linux offering this sort of ease of setup, the result is not good.
    I am seeing the same sort of issues with poor quality buggy crap I used
    to blame on a Windows platform. The GPL / OSS stuff on Linux is good; it
    is just when a commercial entity/vendor comes into it that it is seriously
    F*&^ed up.

    This does not make Windows blameless; there are still serious DLL hell
    issues, hence this virtual server rubbish to get around it. It's nothing
    more than a makeover because the underlying bugs are too hard to fix.....

    regards

    Thing
     
    thing2, Sep 19, 2005
    #10

  11. >>What you can do is set up a SOCKS5 proxy on your gateway as well, and
    >>configure your applications to use that.

    >
    >
    > OK, so what SOCK5 proxy would you suggest?


    I wouldn't, really. But SUSE will have a socks5 proxy you can install,
    no doubt.


    > How does Winproxy install libraries on each client? All I do on the
    > clients is set the Gateway and DNS address to that of the server and SOCKS
    > works fine, as does News and Torrents.


    Hm. Last time I used it (NT4 SBS) you had to install something on each
    client machine for it to work. So maybe that's changed.

    If you set the server up as your gateway I presume it's just doing NAT
    instead, and the winproxy configuration is just controlling rulesets.
     
    Daniel Lawson, Sep 20, 2005
    #11

  12. > I may skip ports 25 and 110, maybe someone could suggest the easiest mail
    > server to use on Linux instead of MDaemon in Windows? I suppose this is
    > essentially a caching proxy for mail :) But yeah, I want to pick up mail
    > from a master account (pop3) and put it into the right mailboxes depending on
    > the address and I also want to pick up mail from other pop3 accounts and put
    > it into specific mailboxes for each account it comes from. This is
    > essentially what MDaemon calls 'domainPOP' and 'multiPOP'.



    fetchmail for retrieving mail from pop3 accounts and delivering locally

    cyrus or courier to act as a local POP / IMAP server

    exim or postfix for your MTA (SMTP server).


    There are howtos around on setting some combination of these up.
     
    Daniel Lawson, Sep 20, 2005
    #12
  13. MarkH

    MarkH Guest

    Daniel Lawson <> wrote in
    news::

    >
    >>>What you can do is set up a SOCKS5 proxy on your gateway as well, and
    >>>configure your applications to use that.

    >>
    >>
    >> OK, so what SOCK5 proxy would you suggest?

    >
    > I wouldn't, really. But SUSE will have a socks5 proxy you can install,
    > no doubt.
    >
    >
    >> How does Winproxy install libraries on each client? All I do on the
    >> clients is set the Gateway and DNS address to that of the server and
    >> SOCKS works fine, as does News and Torrents.

    >
    > Hm. Last time I used it (NT4 SBS) you had to install something on each
    > client machine for it to work. So maybe that's changed.


    You are thinking of the same software right? I am talking about Ositis
    WinProxy which is a firewall/caching WWW proxy/SOCKS proxy/transparent
    proxy. When installed it detects all network connections and invites the
    user to specify which is the internal network - then it just works. The
    only configuration that I have done is to set NAT for a couple of incoming
    ports and adding sites to the blocked pages (blacklist). No problem using
    HTTP, HTTPS, FTP, NNTP, P2P Filesharing, POP and SMTP.

    Not to be confused with MS Proxy (which was later replaced with ISA
    Server).



     
    MarkH, Sep 20, 2005
    #13
  14. MarkH wrote:
    >>>>What you can do is set up a SOCKS5 proxy on your gateway as well, and
    >>>>configure your applications to use that.
    >>>
    >>>OK, so what SOCK5 proxy would you suggest?

    >>
    >>I wouldn't, really. But SUSE will have a socks5 proxy you can install,
    >>no doubt.
    >>
    >>>How does Winproxy install libraries on each client? All I do on the
    >>>clients is set the Gateway and DNS address to that of the server and
    >>>SOCKS works fine, as does News and Torrents.

    >>
    >>Hm. Last time I used it (NT4 SBS) you had to install something on each
    >>client machine for it to work. So maybe that's changed.

    >
    > You are thinking of the same software right? I am talking about Ositis
    > WinProxy which is a firewall/caching WWW proxy/SOCKS proxy/transparent
    > proxy. When installed it detects all network connections and invites the
    > user to specify which is the internal network - then it just works. The
    > only configuration that I have done is to set NAT for a couple of incoming
    > ports and adding sites to the blocked pages (blacklist). No problem using
    > HTTP, HTTPS, FTP, NNTP, P2P Filesharing, POP and SMTP.
    >
    > Not to be confused with MS Proxy (Which was later replaced with ISA
    > Server).


    And to be clear, the Microsoft Proxy Server that shipped with NT4 SBS
    did not need to have something installed on each client machine for it
    to work.

    Proxy Server would work fine as a proxy server, just by pointing your
    browser at the server's internal IP address.

    The something referred to was the Microsoft Proxy Client, which
    redirected Winsock calls to the Microsoft Proxy Server, so that you
    didn't need to manually set up your Internet apps and point them at the
    server. Likewise if your internet application made requests on one
    port but was expecting a reply on another port, "it just works".

    Cheers
    Nathan
     
    Nathan Mercer, Sep 20, 2005
    #14
